[asterisk-bugs] [JIRA] (ASTERISK-24815) [patch] Enable TLS Dual-Certificates (ECC+RSA)

Richard Mudgett (JIRA) noreply at issues.asterisk.org
Tue May 5 11:43:33 CDT 2015


    [ https://issues.asterisk.org/jira/browse/ASTERISK-24815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=226113#comment-226113 ] 

Richard Mudgett commented on ASTERISK-24815:
--------------------------------------------

Reviewboard is no longer active since Asterisk switched from SVN to Git.  You need to put the patch up on Gerrit.  Please note that with git you need to create the commit message as part of the review.

https://wiki.asterisk.org/wiki/display/AST/Commit+Messages

> [patch] Enable TLS Dual-Certificates (ECC+RSA)
> ----------------------------------------------
>
>                 Key: ASTERISK-24815
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-24815
>             Project: Asterisk
>          Issue Type: Improvement
>      Security Level: None
>          Components: Channels/chan_sip/TCP-TLS
>    Affects Versions: SVN
>            Reporter: Alexander Traud
>            Severity: Minor
>         Attachments: tls_rsa_ecc_dsa.patch
>
>
> Already works for Asterisk as the client. Enables dual- (or triple-) certificates for Asterisk as the server. When a client connects via SSL/TLS, the server uses a RSA key-pair usually. However, more such algorithms exist like DSA and ECDSA. If you go for one of those, you would loose compatibility to RSA-only clients. This patch allows you to provide up-to one RSA, ECDSA and DSA key each. Copied over from the Apache HTTP server project, [added|http://httpd.apache.org/docs/current/mod/mod_ssl.html#sslcertificatefile] in version 2.4.8.
> *Benefit*
> If some of your VoIP clients are not compatible with SHA-2 hashed certificates – for example [Nokia mobile phones|http://discussions.nokia.com/t5/Symbian-Devices/SHA2-support-on-Nikia-C5-E71-and-E72/m-p/2532624#M365219] – you can use RSA/SHA-1 for legacy clients and ECDSA/SHA-2 for everyone else.
> *Usage*
> {{tlscertfile=/etc/asterisk/example_rsa.pem}}
> Then, the code of this patch picks that and searches for files called {{example_ecc.pem}} and {{example_dsa.pem}} automatically.
> Because OpenSSL prefers RSA over ECDSA, see
> {{openssl ciphers -v [DEFAULT|http://www.openssl.org/docs/apps/ciphers.html]}}
> consider re-ordering your cipher suites in sip.conf, for example:
> {{tlscipher=AES128+kEECDH:CHACHA20+kEECDH:AES128+kEDH:3DES+kEDH:+aRSA:+aDSS:AES128-SHA:DES-CBC3-SHA:RC4-SHA:-ADH:-AECDH}}
> to use ECDSA (and PFS) when offered by the client.
> If you use well-known (commercial) certificates, you might use different certificate chains. For this, support [was added|https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b9fa413a08d436d6b522749b5e808fcd931fd943] in OpenSSL 1.0.2. Previously, only the chain of the first certificate was delivered. To compile Asterisk together with that OpenSSL version, for example in Debian:{noformat}sudo apt-get build-dep openssl
> wget ftp.debian.org/debian/pool/main/o/openssl/openssl_1.0.2-1.debian.tar.xz
> wget ftp.debian.org/debian/pool/main/o/openssl/openssl_1.0.2.orig.tar.gz
> wget ftp.debian.org/debian/pool/main/o/openssl/openssl_1.0.2-1.dsc
> wget github.com/PeterMosmans/openssl/archive/1.0.2-chacha.zip
> unzip -qq 1.0.2*chacha.zip
> cd openssl-1.0.2*chacha
> wget ftp.debian.org/debian/pool/main/o/openssl/openssl_1.0.2-1.debian.tar.xz
> tar xf openssl_1.0.2*
> mkdir include/openssl
> cp crypto/idea/idea.h include/openssl/
> cp crypto/mdc2/mdc2.h include/openssl/
> wget www.traud.de/voip/sip/patches/openssl/enable-ssl3-method.patch
> patch -p0 <./enable-ssl3-method.patch
> wget www.traud.de/voip/sip/patches/openssl/engines-path.patch
> mv engines-path.patch debian/patches/
> wget www.traud.de/voip/sip/patches/openssl/version-script.patch
> mv version-script.patch debian/patches/
> dpkg-buildpackage -us -uc -nc
> cd /usr/src/asterisk*
> sudo service asterisk stop
> sudo make distclean
> ./configure --with-ssl='/usr/src/openssl-1.0.2-chacha'
> sudo make install CC='gcc -Wl,-rpath /usr/src/openssl-1.0.2-chacha'{noformat}This patch was tested in Ubuntu 14.04 LTS with a certificate from [Comodo|https://www.gogetssl.com/domain-validation/comodo-positive-ssl/] (ECC; chains-up to AddTrust and UTN) and [RapidSSL|https://www.gogetssl.com/domain-validation/rapidssl-standard/] (RSA; chains-up to GeoTrust and Equifax). TLS clients were [CounterPath Bria|http://appworld.blackberry.com/webstore/content/28329074/] (BlackBerry) and [CSipSimple|https://play.google.com/store/apps/details?id=com.csipsimple] (Android).



--
This message was sent by Atlassian JIRA
(v6.2#6252)



More information about the asterisk-bugs mailing list